Configuring interface policy

  1. Run the aaa authorization group command.

  2. Specify the group parameter.

  3. Specify the match-command parameter for the desired interface policy.

  4. Specify the access: permit or deny.


If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.

In this example, the network-admin role is denied access to the "policy:interface:A10-A12,A20,L20-L24" interface policy. The sequence parameter is used to give order to the sequence of commands to be executed.

Configuring interface policy rules

# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit

# aaa authorization group "network-admin" 2 match-command "command:configure interface" permit log

# aaa authorization group "network-admin" 3 match-command "policy:interface:A10-A12,A20,L20-L24" deny log

Since only one interface policy rule can be assigned per role, if access is permitted for A10 to A12, access to the rest of the interfaces is denied for the same role. Similarly if access is denied for A10 to A12, then access to rest of the interfaces is permitted for the same role.